Question about views

Barry Margolin barmar at alum.mit.edu
Thu Feb 12 21:07:02 UTC 2009


In article <gn13lj$1geu$1 at sf1.isc.org>, JAFFO <neil.braebaum at gmail.com> 
wrote:

> I have a question regarding views, and the decisions that can be based
> on network scenario. I'm not entirely sure whether it's possible to
> provide resolution for the scenario I describe, but I thought I'd ask
> the question.
> 
> I have a new small environment of machines (Unix – mainly Linux) that
> need to be able to resolve hostnames (and potentially reverse lookups)
> purely within this firewalled small number of subnets. On the main LAN
> is a reasonably large DNS environment (mostly Windows 2003 DNS
> servers). Between the LAN and the environment I'm describing, is a
> firewall, among other things performing NAT.
> 
> In the new small setup, I'm going to be running one server running
> BIND (9.3.5-p2). Ideally, I'd like the namespace in this new
> environment to be a subdomain of the parent DNS server on my main LAN,
> and be delegated to the BIND server in the new environment. The new
> environment doesn't need to resolve any hosts in the main LAN, but DNS
> in the LAN needs to resolve to the available translated addresses from
> the new environment.
> 
> What I was envisaging doing, was setting up views in the new
> environment, one being defined by the subnets in the new environment –
> notionally “local”, and everything else being “alien”. The problem for
> me being the way NAT is currently being implemented, and I don't yet
> know whether that's something that can be changed.
> 
> Say the subnets in the new environment are: 10.228.6.x, 10.228.7.x and
> 10.228.8.x (24 bit subnet mask). Currently, traffic from the main LAN
> will be seen as (translated by NAT) as coming from singular IP
> addresses on each of these subnets, eg: on 10.228.6.x, LAN traffic
> seen as coming from 10.228.6.248; on 10.228.7.x, LAN traffic as
> 10.228.7.248; and on 10.228.8.x as 10.228.8.248. The last octet (for
> the translated incoming traffic) is common, ie 248 on each subnet.

That seems very strange to me.  Usually NAT is used to translate between 
different subnets, not to consolidate a subnet into a single address in 
the same subnet.  It's typically used because there's no route to the 
subnet requiring translation.  If the outside environment has a route to 
10.228.6.248, why can't that same route be used for the rest of 
10.228.6.x?

> 
> Using views, is it possible, to provide answers for “local” view data
> for a range of IP addresses on each subnet, and / or an external view
> for anything coming from a specific IP address on that subnet?

Views are checked in the order that they appear in named.conf, and the 
first one that matches is used.  The match list can contain both 
inclusions and exclusions, so you can use something like this to match the 
subnets except for the NAT IPs:

// The negated entries must come before the subnets: an address match
// list is evaluated in order and the first element that matches wins.
match-clients { !10.228.6.248; !10.228.7.248; !10.228.8.248;
                10.228.6.0/24; 10.228.7.0/24; 10.228.8.0/24; };

> 
> Or will that not be possible (or horrendously complex), and a more
> easily segmented implementation of NAT be required (ie say LAN traffic
> all appears to come from one, or a number of subnets: eg 10.228.88.x,
> 10.228.89.x and 10.228.90.x)?
> 
> Thanks in advance for any advice or help.
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
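The first-match rule described in the reply above, as an added Python model (not BIND code and not from the thread) of how a view's match list and the view order would be evaluated for the subnets in the question; the function names, the "local"/"alien" view names and the IPv4-only simplification are assumptions:

```python
import ipaddress

# Toy model of BIND address-match-list evaluation (added illustration, not
# BIND code).  Elements are tested in order and the FIRST element that
# contains the address decides: a plain element yields "match", a negated
# ("!") element yields "no match".  No element hit also means "no match".
# Only IPv4 is modelled; "any" stands for 0.0.0.0/0.

def parse_element(element):
    """Turn "!10.228.6.248" or "10.228.6.0/24" into (negated, network)."""
    negated = element.startswith("!")
    text = element[1:] if negated else element
    if text == "any":
        text = "0.0.0.0/0"
    return negated, ipaddress.ip_network(text, strict=False)

def acl_matches(match_list, address):
    """Evaluate a match-clients list for one source address."""
    addr = ipaddress.ip_address(address)
    for element in match_list:
        negated, network = parse_element(element)
        if addr in network:
            return not negated      # first hit wins, positive or negative
    return False

def select_view(views, address):
    """Views are tried in named.conf order; the first whose list matches wins."""
    for name, match_list in views:
        if acl_matches(match_list, address):
            return name
    return None

# Subnets and NAT addresses as given in the question.
LOCAL_SUBNETS = ["10.228.6.0/24", "10.228.7.0/24", "10.228.8.0/24"]
NAT_EXCLUDED = ["!10.228.6.248", "!10.228.7.248", "!10.228.8.248"]

# Correct ordering: the exclusions come before the subnets they carve out.
VIEWS_OK = [("local", NAT_EXCLUDED + LOCAL_SUBNETS), ("alien", ["any"])]
# Broken ordering: the /24 is hit first, so the "!" entry is never reached
# and NAT'd LAN traffic wrongly lands in the "local" view.
VIEWS_BAD = [("local", LOCAL_SUBNETS + NAT_EXCLUDED), ("alien", ["any"])]

if __name__ == "__main__":
    for addr in ("10.228.6.10", "10.228.6.248", "192.168.1.5"):
        print(addr, select_view(VIEWS_OK, addr), select_view(VIEWS_BAD, addr))
```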


